Skip to main content

What the Californian Consumer Privacy Act and the GDPR mean for consumers and tour businesses

*The information below is a summation of two pieces of consumer privacy laws and it in no way represents legal advice.

Regarded as one of the most sweeping data-privacy laws in the US to strengthen consumer security, the California Consumer Privacy Act entered into force in January 2020(opens in a new tab). In simple terms, this law aims to empower consumers to access, alter or remove their personal data that is held by certain businesses. For companies, it promotes transparency of the use of personal data and its trade between organisations. Californian businesses need to meet one of three thresholds for this law to impact them:

  • deriving 50% revenue from selling consumers’ personal data;
  • having an annual gross revenue of over $25 million; or,
  • those companies that buy, sell or receive the personal information of at least 50,000 individuals, households or devices.

However, this law will likely impact all types of businesses extensively, including in the travel industry. Here, we will explain what consumer privacy laws are and how they will impact tour operators.

Personal data and why it needs protecting

According to this new legislation, personal data can include(opens in a new tab) financial information, health data, geolocation, family information and household purchasing data, just to name a few. Put simply, personal data means any stored identifying information such as names, addresses, credit card information, age, email addresses and phone numbers. Data processing firms buy, sell and trade this information in order to target advertisements, identify markets, prevent fraud or report on consumer activity, among other reasons. This is often done without the consumer’s knowledge (unless you are one of the 3-8% of people who read the terms and conditions(opens in a new tab)).

California Consumer Privacy Act

This new law will require consumers to opt-in to having their data stored and shared, rather than having to opt-out. It also requires companies to explain in simple, concise terms the reasons for the data collection and, if this changes, request a reiteration of the consumer’s consent. What’s more, consumers will now be able to request access to the information that is stored by the company without reasonable delay while also offering them the power to request that the data is erased or transferred elsewhere.

California being the state to implement such a law is no coincidence, considering it hosts the highest concentration of technology companies(opens in a new tab) in the world. Silicon Valley is the reason that the state’s economy is the largest in America and among the largest in the world. For this reason, a law like this is likely to have far-reaching effects on almost all other industries and represents a shift in consumer privacy laws that started with Europe’s own General Data Protection Regulation (GDPR).

European Union General Data Protection Regulation

The GDPR came into force in May 2018, reportedly received over 95,000 consumer complaints(opens in a new tab) in under a year (by January 2019). Although similar in scope to the Californian Act, the GDPR impacts more businesses and individuals. This is because even if you’re simply marketing your goods or services(opens in a new tab) to the EU (while not necessarily operating within it), then the law applies to you. This means that consumers have more rights and businesses must practice more transparency in their use of personal data. In addition, sensitive identity information is given stricter conditions to protect users regarding things like race, gender, political affiliation, health-related data and more. Similar to the CA Consumer Privacy Act, businesses are required to express how they process personal data in clear and simple language rather than through legal jargon and longform fineprint.

Tour Operators

The Californian statute and EU regulation only applies to certain businesses, but that includes tour companies or DMCs(opens in a new tab) to some degree. While the Californian Act applies to a fairly specific group of business, the GDPR on the other hand, applies to all organisations(opens in a new tab) that process and store the data of EU citizens. So how can you be prepared for this new data era?

The need for good data practices and transparency is becoming more and more relevant to all companies. There are a few things that every business should be doing, regardless of whether they are impacted by either of these privacy laws. You never know when consumer privacy laws will affect or apply to you, so it’s a wise idea to be prepared ahead of time with these useful tips:

  1. Have explicit consent from your customers to store and use their data. This should be in an opt-in format that offers concise and transparent details around how personal data is being processed.
  2. Consider any software or third-party services that your business uses to collect data. These companies might be impacted even if you aren’t, so you may need to review contracts and discuss what they are doing to meet these new requirements.
  3. Alter your privacy policy so that your company is in line with the change rather than behind it. Adapt your onboarding or sign-up process so that consent is as clear as possible.
  4. Organise the data that you have stored, and be prepared to transfer or delete it or explain what it is used for if requested.


Technology and the internet continues to evolve at an unprecedented rate and although the legislative process is slower, it is beginning to catch up. 2018 was the first time in history that more people were online than offline(opens in a new tab), and moving into 2020, this will only continue to grow. Now more than ever, it is crucial for companies to have good data practices because information continues to operate as an economy within the tech-industry. If you need help updating your website to ensure the information you collect is handled the right way, Tourism Tiger can help(opens in a new tab). Consumers are now aware that when they aren’t paying for a product, they are the product, which means that having control over your own online identity is becoming increasingly important.

Find this article useful? Enter your details below to receive your FREE copy of 95 Epic Places To List Your Tours and receive regular updates from Tourism Tiger and leading industry experts.

By submitting this form, you agree to Tourism Tiger contacting you via email.

(opens in a new tab)